Automation

A powerful low-to-no-code approach that allows your SOC to start automating complex tasks on day one.

Contact sales

Installable workflows

View all

These are additional workflows that you can choose to install from Cisco, its partners, and the Cisco XDR community. These are not installed by default and offer additional use cases beyond the workflows built into Cisco XDR. More information about installable workflows can be found in the Cisco XDR product documentation.

Logo for Cisco Secure Access
Cisco Secure Access - Add Observable to Destination List
Cisco Managed
This workflow appears in the pivot menu and allows a user to add an observable to the configured destination list in Cisco Secure Access.
Pivot Menu
Learn more
C
Cisco XDR - Add Observable to Intelligence Feed
Cisco Managed
This workflow appears in the pivot menu and allows you to add an observable to a threat intelligence feed in Cisco XDR.
Pivot Menu
Learn more
Logo for Jamf Pro
Jamf Pro - Remove Computer from Static Group
Cisco Managed
This workflow appears in the pivot menu and allows you to remove a computer from a static group in Jamf Pro.
Pivot Menu
Learn more
Logo for Microsoft Entra ID
Microsoft Entra ID - Disable Users
Cisco Managed
This incident response workflow allows you to disable one or more users in Microsoft Entra ID from a playbook.
Incident Response
Learn more
Logo for SentinelOne Singularity
SentinelOne - Add Hashes to Blocklist
Cisco Managed
This playbook task workflow can be added to an incident response playbook and allows you to add one or more SHA1 file hashes to the blocklist in SentinelOne.
Playbook Task
Learn more

Built-in workflows

View all

Workflows typically achieve an end-to-end use case. For example, fetching information from an incident, identifying endpoints to isolate, and requesting isolation for each endpoint. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome by taking one or more smaller steps. The workflows listed here are built into Cisco XDR and do not require installation or, in most cases, configuration. More information about workflows can be found in the Cisco XDR product documentation.

XDR - Automation Rule - Update Incident Properties
Cisco Managed
This workflow allows you to update an incident's properties.
Learn more
XDR - Contain Incident: Assets
Cisco Managed
This workflow consumes one or more hostnames and attempts to isolate matching endpoints in all supported products.
Learn more
XDR - Identify Vulnerabilities
Cisco Managed
This workflow consumes one or more hostnames and attempts to fetch vulnerability information from all supported products.
Learn more
XDR - Restore Domains
Cisco Managed
This workflow consumes one or more domains and attempts to restore them.
Learn more
XDR - Restore IP Addresses
Cisco Managed
This workflow consumes one or more IP addresses and attempts to restore them.
Learn more

Built-in actions

View all

Also known as atomic actions, these are small, reusable components you can use when building a workflow. Cisco XDR comes with over 500 actions built in for various products and capabilities or you can build your own. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome and an action as a function within the script. Actions usually do perform a specific, single task like creating a ticket or sending an instant message. More information about built-in actions can be found in the Cisco XDR product documentation.